Should you hack back?

“What has been will be again, what has been done will be done again; there is nothing new under the sun.” [Eccles 1:9] This is true of concepts in Information Security as much as anything else. My article last week, about thinking like a hacker to better secure your network, echoes a theme I heard much expounded in the mid-1990s about hacking your network to stay secure; the concept of data and services in the cloud is an updated version of the idea of managed services back in the early 2000s; and so on.

Another old idea that's currently being rehashed is that if you are attacked, and you can find out who your attacker is, you can consider retaliating and disabling his own machine or network. The idea is not to get revenge but rather to stop him from stealing any more of your information or bringing down your machines. David Navetta, a prominent Denver attorney, feels that if you are in the midst of being attacked, and you can figure out exactly where it's coming from, there's no reason not to stop the hacker.

I disagree. The scenario that Navetta seems to be describing is one where a lone and probably unsophisticated hacker is attempting to infiltrate your network, but that scenario is less and less prevalent these days. Even in the 1980s, hackers often operated in pairs or groups; these days, they are often part of a collective. The supposition that your attacker is a single person and can be counterattacked may be tragically (for your enterprise) false.

In addition, DDoS attacks, which by their very nature are difficult, if not impossible, to trace to their origins, are one of the most popular methods for hacking large enterprises. Hacker groups have entire networks, called botnets, doing their work for them. Your tracing efforts may lead you to innocent individuals who have no idea their machines are being used in this way. If you “hack back” at those machines, you're breaking the law as much as your attacker, and much more than the botnet members, who are ignorant of what is happening. And as for your actual attacker, the worst thing you're going to do to him is make him mad enough to keep hacking you.

“Hack back” sounds like a good idea for about five minutes, until you think of the potential ramifications. The best thing to do if you're being attacked is isolate your network and involve the authorities. They may already have a good idea who is to blame, which is information to which you, as a business owner, are not privy. You can probably assist with information, but don't try to take on a hacker yourself.

Mary Ursula Herrmann

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.